Over seventy percent of small financial institutions are experiencing an increase in fraud rates (PYMNTS). Fraud attacks are not only increasing, but they are also becoming more sophisticated. Even some old threats are being revived with new tactics. At Envisant, our fraud team has identified six trends in 2023 that credit unions should watch. These are outlined below along with some best practices for addressing them.
- Enumeration – This tactic involves utilizing compromised BIN numbers and submitting numerous online transaction attempts while guessing at missing details to gain more information associated with the BIN, including the full account number, CVV2, and/or expiration date. This remains among the top current threats.
When an enumeration or BIN attack takes place, the issuer’s authorization volume increases significantly. Most, if not all, of these authorization attempts will be declined, typically because the card number, CVV2, or expiration date is invalid.
- Report the testing.
- Monitor transaction indicators such as repeated CVV2 failures, invalid expiration dates, and invalid PAN.
- Review authorization reports for a sudden increase in authorization requests.
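The monitoring described above can be automated against an authorization log. The following is an added example, not Envisant's tooling: it flags a BIN when a short window holds many attempts, most of them declined for the indicators listed above, spread across many different cards. The field names, reason labels, thresholds, and sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Decline reasons the article lists as indicators (these label strings are assumptions).
INDICATORS = {"CVV2_MISMATCH", "INVALID_EXPIRY", "INVALID_PAN"}

def detect_enumeration(auths, window=timedelta(minutes=5), min_attempts=20,
                       min_indicator_ratio=0.8, min_distinct_cards=10):
    """Flag BINs with a burst of indicator declines spread across many cards."""
    by_bin = defaultdict(list)
    for a in auths:
        by_bin[a["bin"]].append(a)
    alerts = []
    for bin_, rows in sorted(by_bin.items()):
        rows.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward so it spans at most `window`.
            while rows[end]["ts"] - rows[start]["ts"] > window:
                start += 1
            win = rows[start:end + 1]
            if len(win) < min_attempts:
                continue
            bad = sum(r["reason"] in INDICATORS for r in win)
            cards = {r["pan_token"] for r in win}
            # Many cards failing together separates testing from one member's retries.
            if bad / len(win) >= min_indicator_ratio and len(cards) >= min_distinct_cards:
                alerts.append({"bin": bin_, "window_start": win[0]["ts"],
                               "attempts": len(win), "indicator_declines": bad,
                               "distinct_cards": len(cards)})
                break  # one alert per BIN is enough to open a case
    return alerts

def sample_auths():
    """Constructed authorization records; BINs and tokens are placeholders."""
    t0 = datetime(2023, 1, 1, 12, 0, 0)
    reasons = sorted(INDICATORS)
    burst = [{"ts": t0 + timedelta(seconds=2 * i), "bin": "000000",
              "pan_token": f"tok-{i}", "reason": reasons[i % 3]} for i in range(30)]
    normal = [{"ts": t0 + timedelta(minutes=10 * i), "bin": "999999",
               "pan_token": f"tok-n{i % 8}",
               "reason": "CVV2_MISMATCH" if i % 10 == 0 else "APPROVED"} for i in range(30)]
    return burst + normal

if __name__ == "__main__":
    for alert in detect_enumeration(sample_auths()):
        print(alert)
```

The distinct-card threshold keeps a single member repeatedly mistyping a CVV2 from raising an alert; tune all thresholds against your own baseline authorization volume.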
- Account Takeover (ATO) – Account takeover is an attack in which criminals take ownership of members’ accounts through digital and point of sale skimming as well as fraudulent emails, texts and phone calls.
- Communicate with members through email, social media, on hold messages, and website banners that your credit union will never request them to share a full card number, social security number, PIN, one-time passcode, or two factor authentication code. Advise them to avoid sharing their online banking credentials, no matter who asks.
- Provide examples of common “red flags” that are seen in fraudulent emails and texts. These include email addresses that don’t match the sender’s organization, the use of generic versus personalized language, the use of urgent and hyperbolic language, and grammatical mistakes. Members also need to watch for embedded hyperlinks that lead to unfamiliar websites or use URLs that don’t match the official site’s online address.
- Encourage members to follow their instincts. If they have any concerns about an automated call, text message, or email they should not respond. Remind members they can always call the number on the back of their card or contact the credit union directly instead.
- In the event of a breach, notify members immediately.
- Alert local law enforcement.
- Synthetic Identity Fraud – This tactic involves combining stolen information with falsified details to form a new identity.
Make sure account openings follow all procedures, especially online openings. The Fed has a toolkit to help at fedpaymentsimprovement.org.
- eCommerce Skimming – Placing malicious code on merchant site checkout pages allows fraudsters to harvest payment data including PAN, CVV2, and card expiration date, often along with personally identifiable information. This is most common on platforms that are not regularly updated or properly secured.
Educate members to:
- Avoid clicking on unfamiliar links.
- Update their own software protections.
- Use secure acceptance technology such as Apple Pay, Google Pay, or Samsung Pay when making online purchases. 3D Secure will also protect against online fraud.
- Automated Fuel Dispenser (AFD) Fraud – Fraudsters are going beyond card skimming at gas pumps by taking advantage of status check authorization settings. Transactions are sent as a US$1 status check authorization to ensure the payment account is valid. Issuers receive the US$1 status check authorization, but if the core is not set up to hold the full amount charged, fraudsters can purchase beyond what funds are available, costing issuers money.
Correctly managing the status check authorization by specifying hold amounts that reflect actual transactions prevents fraudsters from performing multiple AFD transactions and surpassing the account balance associated with the cards.
- ATM Fraud – This was on the decline thanks to EMV chip technology, but fraudsters have begun damaging ATM card readers with inserts that cause the EMV chip reader not to work. The ATM then allows a fallback to the magnetic stripe instead. Fraudsters take advantage of fallbacks to skim the card information. Smaller, more sophisticated skimmers and cameras are making skimming devices harder to detect.
- Issuers need to set up fallback limits on cardbase for ATM & POS transactions.
- Keep machine hardware well maintained and updated.
With fraud attacks on the rise, paying attention to trends like these six and the best practices to address them can help your credit union defend against fraudsters’ tactics. Overall, member education is a key part of that strategy along with tools like self-service controls and multi-factor authentication. Of course, your credit union also needs the most rigorous fraud detection solutions available to react quickly.
At Envisant, our team of fraud experts is here to help keep credit unions and their members protected against fraud attacks. To learn how we can help, please contact 1-800-942-7124.